2025 Year in Review: FINTRAC Enforcement Actions and AML Penalties Explained

Crypto and MSBs: Control Failures

Crypto-related firms accounted for over 40% of FINTRAC's total AMP volume in 2025, underscoring the regulator's increasing focus on virtual assets and decentralized financial platforms.

Xeltox Enterprises Ltd. (Cryptomus) received a staggering $176.9 million fine (FINTRAC notice)—the largest in Canadian AML history. Xeltox failed to report over 2,500 large virtual currency transactions and 1,000+ suspicious transactions, lacked any written compliance program, and failed to notify FINTRAC of key MSB registration changes. These breaches violated PCMLTFA sections 7, 9.6, and 11.1. Had the firm implemented even a basic compliance framework—appointing a compliance officer, documenting AML procedures, and using automated reporting tools—it could have mitigated the fallout.

Peken Global Limited (KuCoin) was penalized $19.5 million (FINTRAC release) for operating as an unregistered foreign MSB in Canada and failing to report 2,952 qualifying transactions. With no local compliance infrastructure or reporting oversight, KuCoin’s failures were systemic. Registering properly and assigning a compliance lead with knowledge of PCMLTFA obligations could have changed the outcome.

Casinos: Risk-Rated Monitoring and STR Failures

Saskatchewan Indian Gaming Authority (SIGA) received $1.17 million in fines (announcement) for missing STRs and submitting incomplete reports. FINTRAC found that 41% of patrons reviewed lacked any documented risk rating. Stronger onboarding risk procedures, automated transaction monitoring, and employee escalation protocols could have corrected this.

British Columbia Lottery Corporation (BCLC) was fined $1.075 million (source) for failing to escalate suspicious activity involving high-risk patrons and not applying required special measures under s.9.6(3). An EDD protocol linked to high-value player behavior, along with compliance training tailored for frontline staff, would have improved detection and reporting.

CNE Casino faced a $199,000 fine (FINTRAC post) for not performing any documented AML risk assessments or testing its program. These foundational tasks—required under PCMLTFA—could have been addressed with a calendar-based compliance cycle and an effectiveness checklist.

Precious Metals, Stones, and Real Estate: Missing the Basics

Spence Diamonds Ltd. was fined $264,000 (notice) after it failed to report suspicious activity and implement a compliant AML program. Red flags—structured cash sales and attempts to avoid ID—went unreported. A transaction risk scoring tool and regular scenario-based staff training could have filled the gap.

HRA Group Holdings received a $132,000 penalty (FINTRAC release) for having no AML policies, risk assessment, or effectiveness testing. With no framework to guide employees, AML obligations were simply ignored. A templated AML compliance manual and annual internal reviews could have helped ensure basic program implementation.

Immeubles Jack Sera Inc. and Immeubles Village Pointe-Claire Inc. were fined $107,250 and $36,360, respectively (May 2025 notices). Lapses included missing KYC records and absent training programs. Using digital client onboarding systems and scheduled refresher training would likely have prevented these issues.

Securities Sector: Documentation Gaps and Outdated Policies

Canaccord Genuity Corp. incurred a $544,500 fine (announcement) for failing to report STRs and not integrating Ministerial Directives into its AML program. These lapses stemmed from outdated procedures and weak compliance testing. Conducting annual policy reviews and scenario testing against known risks (e.g. DPRK sanctions) could have prevented the enforcement.

Argosy Securities Inc. and Hub Capital Inc. were fined $66,000 and $99,000  for having insufficient policies, no documented risk assessment, and no formal compliance review. These oversights are avoidable with a compliance roadmap, policy approval logs, and board oversight.

Primary Capital Inc. received a $93,390 fine (FINTRAC summary) after failing to identify domestic PEPs and skipping its biannual review. These errors reflect a lack of up-to-date onboarding protocols and risk-based screening. A compliance calendar with triggers for reviews and a PEP screening checklist could have solved this.

Financial Institutions: STR Shortfalls and Monitoring Gaps

First Nations Bank of Canada (FNBC) was fined $601,139.80 (FINTRAC release) for not filing STRs in nearly one-third of cases reviewed. It also failed to consistently monitor high-risk clients and maintain a complete compliance framework. Enhanced STR triggers tied to behavioral anomalies and risk-tiered monitoring protocols would have closed these gaps.

Cambrian Credit Union received a $116,160 fine (report) for missing EFT reports and maintaining weak AML documentation. Conducting quarterly data validations and establishing STR review committees would have enhanced accuracy and compliance.

Professional Services: Long Gaps Between Reviews

DMCL Chartered Professional Accountants incurred a $72,750 fine (source) for not reviewing its AML program for four years. It also had gaps in PEP screening and senior officer approval. Integrating compliance checkpoints into firm operations and flagging overdue reviews would have ensured timely program maintenance.

What Compliance Teams Can Learn

Across sectors, recurring problems included:

• Outdated or undocumented policies and procedures

• No written risk assessments or staff training

• Failure to file required reports, especially STRs

• No effectiveness testing or leadership oversight

How to Strengthen Your Program:

1. Build a compliance calendar tied to regulatory timelines

2. Assign program testing to an independent reviewer

3. Invest in transaction monitoring automation

4. Maintain training logs and policy approval history

5. Use risk-tiered onboarding workflows with PEP/STR escalation triggers

FAQs: Avoiding FINTRAC Penalties – What Every Compliance Officer Should Know

Q: How can we proactively prevent FINTRAC penalties?

A: Start by ensuring your AML program includes written procedures, risk assessments, and ongoing training. Review your STR and LCTR processes quarterly and assign clear responsibility to a CAMLO or MLRO. Use third-party reviews to test effectiveness.

Q: What’s the biggest mistake organizations made in 2025?

A: Failure to implement or update AML programs. Most firms penalized lacked risk-based controls, missed STR filings, or didn’t conduct effectiveness reviews.

Q: Is investing in compliance really worth it?

A: Absolutely. Even modest investments in documentation, automation, and training can prevent million-dollar penalties and reputational damage. The ROI on prevention far outweighs the cost of enforcement.

Q: What tools can help us stay on track?

A: Use AMLI's Effectiveness Review, CAMLO support, and training services to benchmark your program against regulatory expectations.

Key Takeaways

• FINTRAC issued over $200 million in AMPs in 2025, targeting all sectors

• Crypto, casino, and securities firms saw the largest enforcement

• Weak AML programs and missed reports were the most common failures

• Every penalty could have been mitigated through better oversight, training, and testing

2025 enforcement trends make one thing clear: compliance failures will be penalized—publicly and severely. Whether you're a crypto platform, real estate broker, or investment dealer, a weak compliance posture is no longer sustainable. AMLI supports firms in building resilient, risk-based compliance programs through effectiveness reviews, CAMLO support, and tailored training.

Read More:

• How to Prepare for a FINTRAC Examination

• AML Risk Assessment Guide for Canadian Entities

• The Hidden Burden of RPAA: Continuous Compliance and the CRO Requirement

• Top 10 AML Red Flags Every Compliance Officer Must Know

Services

• MSB Registration

• CAMLO/MLRO Outsourcing

• Effectiveness Reviews

• Regulatory Remediation

• AML Compliance Training